funtoo forums
mlinuxgada

Funtoo release model


@zogg if you are looking for others to do the work for you and keep everything up-to-date for you, this is not the right distro for you. We track CVEs that are reported on the bug tracker and we actively incorporate any CVE fixes. But they need to be reported on the bug tracker. Definitely use Gentoo if you want a bunch of developers to do all the work for you.


Just to expand on this, it is perfectly fine for us to be a bit behind Gentoo in terms of updates, and even quality of ebuilds in some areas. We will improve as I get more videos out to help our community do better, and my job is to keep our bug tracker responsive to reported issues. I think it is important to be realistic and realize where we are now; it would be foolish to think that a small community is doing everything it needs to. That is fine -- we are improving. That is the key thing.


And to expand on this some more --

While it's true that we don't have a dedicated security team and rely on users to report CVEs, this doesn't mean that we trail behind Gentoo in all areas. For example, we have a fix in gettext for CVE-2018-18751 that Gentoo does not appear to have. We also had important fixes for avahi remote exploits before Gentoo.

In general this means that our ability to be up-to-date with CVEs depends upon our users' ability to report these. In areas where we have had good reports, we have sometimes had things fixed sooner.

On 4/27/2019 at 6:01 PM, jhan said:

What is the problem with golang?

In https://code.funtoo.org/bitbucket/projects/AUTO/repos/lang-kit/browse/dev-lang/go?at=refs%2Fheads%2F1.3-release we have version 1.11.4 and in https://code.funtoo.org/bitbucket/projects/CORE/repos/kit-fixups/browse/lang-kit/curated/dev-lang/go already 1.12.4, which is the current golang version.

There is also an open bug (https://bugs.funtoo.org/browse/FL-6353) that might affect the distribution of packages under the lang-kit but you should have at least version 1.11.4 on your system.

 

It was updated yesterday (I assume because of the post) to 1.12.x  :D 

Before, as I see from January 03, we had 1.11.4, which has the vulnerability in the link below; the vulnerability was published on the 24th of January, which gives us February, March and almost April until yesterday.

 https://www.cvedetails.com/vulnerability-list/vendor_id-14185/product_id-29205/version_id-280874/Golang-GO-1.11.4.html

 

Though my point is not about specific software, but that switching the release model doesn't automatically make everything perfect and stable (secure is stable, in my opinion, in 2019). I think that Funtoo has fewer maintainers and people contributing than Gentoo, and switching as a solution, thinking it would take less time and effort to maintain the system while keeping it stable, would not resolve the issue. And as all the work done in Gentoo can be utilized as well, maybe instead of breaking compatibility more and more (after all, most of us came from Gentoo, which was also Daniel's creation) it can be used as experimental, current can be more stable, and stable would have releases, maybe with some tagged LTS once in a while. The same basic idea of stable, masked, hard masked, where the effort is put into automating the process of merging from Gentoo with the patching that is needed. At least until the user base grows.

 

Anyway, it's just my opinion and for sure anything can suit everyone; after all, it would be fair to tell me "you want something different — you can always make your own", as it's easier to criticize from the couch :P

On 4/27/2019 at 6:33 PM, drobbins said:

@zogg if you are looking for others to do the work for you and keep everything up-to-date for you, this is not the right distro for you. We track CVEs that are reported on the bug tracker and we actively incorporate any CVE fixes. But they need to be reported on the bug tracker. Definitely use Gentoo if you want a bunch of developers to do all the work for you.

Wrote the previous reply before reading yours :)

In general I do agree with you, but I am not comparing with Gentoo; I suggest co-existing, as with any other useful resource that can be used, that's it.

 

8 hours ago, zogg said:

It was updated yesterday (I assume because of the post) to 1.12.x  :D 

Before, as I see from January 03, we had 1.11.4, which has the vulnerability in the link below; the vulnerability was published on the 24th of January, which gives us February, March and almost April until yesterday.

 https://www.cvedetails.com/vulnerability-list/vendor_id-14185/product_id-29205/version_id-280874/Golang-GO-1.11.4.html

If you really would have any interest in helping out and have read the links I posted, you would have noticed that your assumption is wrong.

The update from 1.11.4 to 1.12.3 was done with bug report https://bugs.funtoo.org/browse/FL-6342 on April 10, and then to 1.12.4 with https://bugs.funtoo.org/browse/FL-6352 on April 13. The reason why those versions did not appear after ego sync on your computer you could have found in the bug report I posted above.

And if you had knowledge about this vulnerability earlier, why didn't you report it? Or even better, provided a fix?

4 hours ago, jhan said:

If you really would have any interest in helping out and have read the links I posted, you would have noticed that your assumption is wrong.

The update from 1.11.4 to 1.12.3 was done with bug report https://bugs.funtoo.org/browse/FL-6342 on April 10, and then to 1.12.4 with https://bugs.funtoo.org/browse/FL-6352 on April 13. The reason why those versions did not appear after ego sync on your computer you could have found in the bug report I posted above.

And if you had knowledge about this vulnerability earlier, why didn't you report it? Or even better, provided a fix?

I am not sure where and what builds were, but I trust 1.3 branch git commits history.

And do not blame me for missing links to any bug report, as you obviously missed the whole point of my post and are cherry-picking exactly the things you want to answer, while sticking to golang.

I did contribute to Funtoo when I could (yes, it was a long time ago, when Funtoo had just started and Martin and the other guys were in the core team), but currently I have less time and opportunity to do it.

I did not report it, as I did not check what vulnerabilities golang or kubectl (somehow you did not comment on that one) had when I wrote the post (I work with those and I know there are some found this year). It was less important for me whether they are vulnerable on Funtoo, as in production I use golang Docker images to build golang applications.

 


17 minutes ago, zogg said:

I am not sure where and what builds were, but I trust 1.3 branch git commits history.

You might trust git history, but GitHub is no longer the leading repository for Funtoo. And it looks like the GitHub repository was affected by the above-mentioned bug, which did not generate and distribute the files from code.funtoo.org in that case. The real history can be found at: https://code.funtoo.org/bitbucket/projects/CORE/repos/kit-fixups/browse/lang-kit/curated/dev-lang/go

25 minutes ago, zogg said:

And do not blame me for missing links to any bug report, as you obviously missed the whole point of my post and are cherry-picking exactly the things you want to answer, while sticking to golang.

What missing links are you talking about? And I cherry-picked on golang, as I did submit the new ebuilds and wanted to know if there is some merit to your statements. But it seems that you just did not have all the information at that point.

 

29 minutes ago, zogg said:

I did not report it, as I did not check what vulnerabilities golang or kubectl (somehow you did not comment on that one) had when I wrote the post (I work with those and I know there are some found this year). It was less important for me whether they are vulnerable on Funtoo, as in production I use golang Docker images to build golang applications.

I did not say anything about kubectl because you are right about that one. There are no new ebuilds since January: https://code.funtoo.org/bitbucket/projects/AUTO/repos/nokit/browse/sys-cluster/kubectl

But it seems that nobody was bothered enough to write a bug report or ebuild request for it.



About go, in my opinion, it was far behind compared to most distros (even on dfbsd, which I use occasionally). Especially after switching to 1.3, all I see are vim-* bumps.
As I mentioned several times, I use Funtoo to do my work, which is 90% backend dev, using go/php/js most of the time. For months go was behind, months. I personally have a local overlay, where all I do is version bumps.
 

On 4/27/2019 at 6:33 PM, drobbins said:

@zogg if you are looking for others to do the work for you and keep everything up-to-date for you, this is not the right distro for you. We track CVEs that are reported on the bug tracker and we actively incorporate any CVE fixes. But they need to be reported on the bug tracker. Definitely use Gentoo if you want a bunch of developers to do all the work for you.

Hmm, you're saying that package updates are not meant to be part of the distro? Something like "every man for himself", right?

Well, that's something new. Isn't the distro supposed to handle ports/package updates, fixes, enhancements, etc...?!

At the moment, the way I understand the "new direction" is something like:

  1.  - no way to keep up with current, as before, because there is no current - I hoped there is, no answer to that. It seems to me that at any moment you can change the distro direction drastically, just like that.
  2.  - all port updates/CVE fixes|patches.. / all mods are handled by the user alone - so, if you want updates, whatever, you're on your own.

@drobbins can you give a short answer to the last 2, just those 2 please.


@mlinuxgada I'm not drobbins but I think you misread that statement.

I would answer your second question in the way, that the user does not handle it all alone, he can if he wants, but should at least file a bug report to let funtoo know about the problem. If he wants to do more, he is welcome to work on the problem, analyzing it or even solve it. All software projects rely on the users to report problems.

As for your first question. You first have to define what current is. In my eyes there is no current, there is just always something newer. Even Gentoo is not current. They have more packages that are closer to the newest software versions, but they also have the manpower and infrastructure to do that. Even if Funtoo followed the updates from Gentoo, it would still require some testing, as Funtoo is not Gentoo and not everything that is coming from Gentoo works well in Funtoo.

Those are my few cents on your questions. The rest I leave to drobbins to answer, and maybe correct me.

11 minutes ago, jhan said:

@mlinuxgada I'm not drobbins but I think you misread that statement.

I would answer your second question in the way, that the user does not handle it all alone, he can if he wants, but should at least file a bug report to let funtoo know about the problem. If he wants to do more, he is welcome to work on the problem, analyzing it or even solve it. All software projects rely on the users to report problems.

 

If you need to report most of the things, it is kind of doing it yourself.

It is fair to say that it's a homebrew distro and no one owes you anything. But if you advertise your distro as stable and that it can be used in production, regardless of it being free or not, you need to provide certain standards.

There is a problem of a small group of maintainers in Funtoo, and it's logical that it would not have all the fixes and there would still be problems. The question is the % of user input vs maintainers' work.

If there is a need for all users to always report, it's not everyday stable usage (at least if you use it not at home as a desktop env).

jhan said:

As for your first question. You first have to define what current is. In my eyes there is no current, there is just always something newer. Even gentoo is not current. They have more packages that are closer to the newest software versions but they also have the manpower and infrasturcture to do that. Even if funtoo would follow the updates from gentoo, it still requires some testing, as funtoo is not gentoo and not everything that is coming from gentoo works well in funtoo.

It's not about newer (and Gentoo has 9999 ebuilds, they are just hard masked). No one asks for the latest software that was released yesterday, but as mentioned above, except for vim there were barely any ebuild updates for more than a few months. Even Ubuntu, which is LTS, has newer packages. The question is the proportions and what the distro advertises itself as.

Sure, not everything in Gentoo is compatible and some requires manual changes (can it be automated?), but this is exactly the problem: "why use all the power, which is already not enough for new features, to break compatibility with Gentoo, whose resources can be used? Wouldn't it make Funtoo good as an idea and innovation compared to Gentoo, but it will stay as an idea, while it will always not have enough users/maintainers?" Or maybe innovate less and work on an automatic Gentoo merge into Funtoo until it has its own maintainers and more users, so it can be more independent from Gentoo and can be tweaked even more.

It all comes back to the roadmap and the calculation of your resources vs your plans in a more realistic way.

 

